GDPR – Just a storm in a teacup?
On 25th May 2018, the EU General Data Protection Regulation (GDPR) was implemented. According to many, it was going to bring complete chaos to businesses and potentially huge fines for anyone found to be breaching it. Others viewed it as another ‘millennium bug’ event, i.e., an awful lot of fuss and scaremongering which ultimately led to very little happening. Though it was leading to a lot of potential profit for some of the scaremongers who were offering quick-fix solutions to non-existent problems.
The truth, as is often the case, lies somewhere between the two extremes.
If you visit the Information Commissioners website (https://ico.org.uk) you’ll find news articles which show that, in the last year, the ICO has been quite active. They’ve pursued both large and small organisations and even fined individuals for breaching the regulation (and the revised 2018 UK Data Protection Act).
Fines for larger organisations and equivalently larger data breaches have been substantially higher than the previous maximum of £500,000. For example, Marriott International was fined more than £99 million and British Airways fined £183.39 million for breaches of the Act. You’ll also see more modest organisations have been fined tens of thousands of pounds and individuals as much as £25,000.
Perhaps of greater significance to smaller organisations was the announcement in November 2018 that the ICO had begun issuing fines to organisations that process personal data. These fines were for not registering with them and paying the appropriate data protection fee. Between September 2018 and the announcement, the ICO had issued more than 900 notices of intent to fine, with more than 100 penalty notices already issued.
Becoming GDPR Compliant
My PerformancePlus colleagues have worked with many of our existing clients (and some new referrals) to both allay some of the fears generated by GDPR and also to ensure (as far as is possible with a slightly ambiguous Regulation) that they all were compliant. For the vast majority of clients, this was a relatively simple exercise. We made sure:
- they knew what personal data they were processing,
- what legal reason they had for so doing,
- where they were keeping it (and ensuring that this was secure),
- what would happen to the data when there was no longer any justification for keeping it.
Along with some simple processes to ensure that incidents and valid access requests were being properly dealt with.
This ensured that our clients could ‘sleep soundly’ and didn’t incur huge costs (and should avoid any potential data breaches). We also like to think that there are no storms in their teacups, and they can drink their tea in peace!
If you’re looking for practical help with issues around information security, data protection then why not give us a call on 01284 300400 or email email@example.com. You might even want to consider the benefits of certification under ISO 27001, the International Standard for Information Security.